Windows does not control the hardware, in this case the Siemens PLC does. It's the same as the relationship between the engine management controller in your car and the Windows laptop that connects to it for diagnosis and reprogramming.
Centrifuges are not dangerous, only their product is. If they under speed they don't work right and if they overspeed they just break. Nor are they mission critical in the way an aircraft control computer or a furnace burner management system is. If they go wrong nobody dies and nobody gets hurt, you just have a delay in product delivery.
Hooked to a public network? There's no evidence it was nor does the programming station need to be to have been hit by Stuxnet. The programming PC need not be connected to the plant either except during maintenance just as in the engine management example. Stuxnet will infect any Siemens software installations it finds and then wait.
As you say network security is important. The trouble is even if you used the most vigorous regime  Stuxnet would still get through because of the 4 0day vulns it used. The MS bashers will say without a clue of how the real world of control systems works 'don't use Windows' but linux has it's bad hair days too as does OSX and any other system with this level of resources attacking it.
The fail here was that the attackers were able to know everything about their target and thus were able to craft the attack to get around whatever layers of protection were in place. Different layers or more layers would have been circumvented just the same.
 For example Stuxnet would get through the following:
Workstation only connected to PLC during maintenance. Workstation not connected to any network. Workstation has current AV updated daily manually. All USB drives  used are scanned on a separate PC with a different OS and different AV package every time they are used. Workstation user account is not Admin.
 Or whatever removable media you use to get the AV updates and software changes on.